MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a68210378135bd42e9a1a8e854fb0cab06f58ffcab9a8583f0654fe9807c5555. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CobaltStrike


Vendor detections: 6


Intelligence 6 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a68210378135bd42e9a1a8e854fb0cab06f58ffcab9a8583f0654fe9807c5555
SHA3-384 hash: 6e1aea06c0cd507e650fd82d1f57921826c7c1d1349db09a42b843716788ae85cab4da5f55f94013990dc8afd7cf0b70
SHA1 hash: bf9b8a5b335473feadc66a387fffbf92a1761e16
MD5 hash: 1b4a43af72a61bb0934d91ecb933c91e
humanhash: fix-ack-quiet-south
File name:p32.exe
Download: download sample
Signature CobaltStrike
Create hunting rule
File size:131'760 bytes
First seen:2020-07-10 08:09:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dde4bd43d804238c0d14c0d6702d6f39 (2 x CobaltStrike, 1 x Amadey)
ssdeep 1536:Je2l6XVn5tsuPmN9HFIVhzJj9jnDuNfzWRIpcs4jv+BcH/RBBmssWjcd3UKN1ahR:JsFX4F4zd9zbD+KJBB83UKNMD
Threatray 83 similar samples on MalwareBazaar
TLSH B8D35B0436D08035D0725E31A6A877D2C978FD768B6D8E9B77CC0A4FCAB8DD11636A63
Reporter JAMESWT_WT
Tags:CobaltStrike

Code Signing Certificate

Organisation:DigiCert High Assurance EV Root CA
Issuer:DigiCert High Assurance EV Root CA
Algorithm:sha1WithRSAEncryption
Valid from:Nov 10 00:00:00 2006 GMT
Valid to:Nov 10 00:00:00 2031 GMT
Serial number: 02AC5C266A0B409B8F0B79F2AE462577
Intelligence: 204 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
CobaltStrikeBeacon
Create hunting rule
Link:
https://www.capesandbox.com/analysis/24316/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a68210378135bd42e9a1a8e854fb0cab06f58ffcab9a8583f0654fe9807c5555/
Threat name:
Win32.Trojan.TrickBot
Create hunting rule
Status:
Malicious
First seen:
2020-07-10 00:45:49 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u2bban4bgw6uf2nbvdufj6ymvmdpld74vonila7qmvh6tad4kvkq._file
Verdict:
malicious
Similar samples:
164f816dc125ab0a507134a82a20c5c0de872f66b6a7a56a848d52819e49cb9c
CobaltStrike
2f72550c99a297558235caa97d025054f70a276283998d9686c282612ebdbea0
CobaltStrike
34d38e1cf8761561180c63079d63c277b92959359278be8d020391524dece203
CobaltStrike
389f2000a22e839ddafb28d9cf522b0b71e303e0ae89e5fc2cd5b53ae9256848
CobaltStrike
3dfb4e7ca12b7176a0cf12edce288b26a970339e6529a0b2dad7114bba0e16c3
CobaltStrike
4d71f1eab01045de9ae76ea248be7746bad70c12ad977eeb6e8f8e46bbce6395
CobaltStrike
57a395267a680f4909efd096007d6ec86254502ae1c33a70733f0ccef85c4791
CobaltStrike
70eae6d411554b0587f9bc3e7e7cc753e81b8086310dc5fa8181c44632fe1ada
CobaltStrike
8668a50a557e2b402d105cd44953bcb7f2a854b34ed6fa89daabe706f809ce32
CobaltStrike
96c441a2676616cbc2869de5adf4215bdad4603d970f956cc3de927301599257
CobaltStrike
+ 73 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200710-h8fh3qxqxe/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Beacon_K5om
Create hunting rule
Author:Florian Roth
Description:Detects Meterpreter Beacon - file K5om.dll
Reference:https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
Rule name:CobaltStrike_Sleep_Decoder_Indicator
Create hunting rule
Author:yara@s3c.za.net
Description:Detects CobaltStrike sleep_mask decoder
Rule name:CobaltStrike_Unmodifed_Beacon
Create hunting rule
Author:yara@s3c.za.net
Description:Detects unmodified CobaltStrike beacon DLL
Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:Leviathan_CobaltStrike_Sample_1
Create hunting rule
Author:Florian Roth
Description:Detects Cobalt Strike sample from Leviathan report
Reference:https://goo.gl/MZ7dRg
Rule name:Malware_QA_vqgk
Create hunting rule
Author:Florian Roth
Description:VT Research QA uploaded malware - file vqgk.dll
Reference:VT Research QA
Rule name:PowerShell_Susp_Parameter_Combo
Create hunting rule
Author:Florian Roth
Description:Detects PowerShell invocation with suspicious parameters
Reference:https://goo.gl/uAic1X
Rule name:ReflectiveLoader
Create hunting rule
Description:Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended
Reference:Internal Research
Rule name:WiltedTulip_ReflectiveLoader
Create hunting rule
Author:Florian Roth
Description:Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip
Reference:http://www.clearskysec.com/tulip

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CobaltStrike

Executable exe a68210378135bd42e9a1a8e854fb0cab06f58ffcab9a8583f0654fe9807c5555

(this sample)

  
Link
http://91.235.129.41/p32.exe
  
URLhaus
https://urlhaus.abuse.ch/url/410753/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/24316/

Comments